Which Router/firewall Would You Use For A Virtual-PBX Asterisk Installation?

Home » Asterisk Users » Which Router/firewall Would You Use For A Virtual-PBX Asterisk Installation?
Asterisk Users 4 Comments

Hi everyone.

We’ve got a fairly large base of customers who use our Asterisk server for phone service in a virtual PBX kind of way, where the server is security hardened and exposed to the internet for them to connect to remotely with SIP and IAX. It’s certainly not the sort of affair where we’re running it as a PBX just within the building. As a result, we see network traffic coming through eth0 between 512 Kbps and about 3.0 Mbps, depending on the time of day.

We haven’t so far been using a hardware firewall/router on our server network, but it’s becoming increasingly clear that we need to. We have enough experience to know that Asterisk is pretty sensitive when it comes to network hardware in our situation – we’ve had to replace one otherwise perfectly good 100 Mbps network switch because it simply wasn’t able to keep up with the amount of streaming audio we put through it, and it badly affected voice quality. We have other traffic flowing through our server network too, including a significant amount of e-mail and web traffic, although that’s not quite as sensitive to the quality of our network hardware.

If you’ve got these large requirements for Asterisk, I’d love to hear what you use for a router, and whether that router has met your needs. It would also be nice to hear about what kinds of routers to avoid that you may have tried in the past and found lacking.

4 thoughts on - Which Router/firewall Would You Use For A Virtual-PBX Asterisk Installation?

  • I am working at a scale of about 10 Mbps and I am using customized pfSense setups. Essentially, I am also using Asterisk as a session border controller as part of the router/firewall. I am using a multi step procedure to keep unwanted traffic away from the application software, which includes geo IP filtering and blocking based on Snort alarms. So far I haven’t seen the necessity to block anything based on Asterisk logs, but I’ll plan to add that feature to pfBlockeNG as a custom IPv4 (and IPv6) list.

    It’s too early for recommendations or public demo software, but I am planning to add my SBC to pfSense 2.3 superseding the current Asterisk package. If necessary, pfSense allows for traffic shaping and a couple of other neat feature, that are usually not part of small firewalls.

    jg

  • Well router and firewall are very different…it depends on what you are trying to accomplish.

    If you are trying to secure an Asterisk-based call center, get a real security product. Look here for details:
    http://www.voip-info.org/wiki/view/Asterisk+security

    This covers firewall, Asterisk lock-down, and Asterisk specific security. The average break-in/fraud cost is $25,000 per day. (watch the Astricon videos for more details). So going cheap on security isn’t a smart move for a commercial installation.

    If you just want a router/switch, figure out the simultaneous call capacity x codec demands in bps, and there is your backplane switching speed requirements. Even with 100 simultaneous calls at g711, a lower end Cisco
    (3xx) router/switch will have no problem.

    -M-

    —–Original Message—

  • Oh, don’t worry about us going cheap on security. We use A2Billing
    (along with some Fail2Ban configuration for bad logins) to limit the number and cost of calls that can go out through a compromised SIP
    account, so that when, not *if*, a customer’s SIP account gets compromised, the attacker gets cut off at the knees before they can even get out the door. We’ve even added bogus connection charges on international calls that get removed before we bill our customers, to speed up the process and reduce our losses even further. Our customers are even happy that these billing limits are in place.

    No, this is all about playing nice with our load balancing software and protecting databases and backend servers that have no business being available to the public. But mostly it’s about the load balancer
    (IPTables on said servers can take care of “visible to the public). I
    just want to make sure that the router we use will play nice with Asterisk, since we’ve already seen network hardware that looks good on paper, but fails miserably in practice. In fact, we see it so often with individual customers’ crap routers causing voice quality issues, that by default we don’t trust simple math.

    So here I am, asking everyone what router they use, and whether you’re happy with the results when there’s 100 simultaneous SIP calls in progress. I want to know what happens when the rubber hits the road.

  • If you are focused on routing, we’ve used 4 Cisco SG300-28p in router mode –
    economical way to handle vlans etc for ~100 POE phone sets, (with GB
    interconnects). At the edge Cisco ASA-55xx work well, and we’ve done a few deployments with Mikrotik routers that are quite inexpensive and performed impresively for their cost.

    From a security standpoint, consider what happened last summer when hackers found an exploit in the FreePBX web interface. They rewrote the PBX
    dialplan, disabled CDR’s, and made unlimited calls to premium rate numbers. This was a real wakeup call for FreePBX users who though Fail2Ban was a security system, or CDR’s could be used to catch compromised accounts. Digium warns everyone that fail2ban is not a security system:
    http://forums.asterisk.org/viewtopic.php?p9984

    If you don’t want a security system on your PBX, see if your ITSP will limit your account to $X/day, restrict routes, etc.

    There are also some great Astricon videos online where they invite speakers to talk about security. You’ll see that fail2ban + A2Billing doesn’t keep out anyone except the script kiddies.

    —–Original Message—